The University of North Carolina (UNC) School of Medicine in Chapel Hill has begun notifying women who were part of a mammography research project that their Social Security numbers and other personal data may have been exposed when hackers breached the security of a database containing information recorded as part of the project—nearly two months after the breach occurred.
“We deeply regret that this security breach exposed thousands of people to the possibility of identity theft,” said Matthew Mauro, MD, chair of the department of radiology. “We are working with information security specialists and law enforcement to understand how this happened and to put measures in place to prevent it from happening again.”
The database, called the Carolina Mammography Registry, serves as a resource for researchers and radiologists who practice mammography. The registry collects data from community-based mammography practices throughout North Carolina, and is part of a national mammography project funded by the National Cancer Institute.
UNC reported that the server contained personal information, including some Social Security numbers, for approximately 236,000 individuals.
According to the university, mammography practices participate in the project to promote research on screening mammography and to receive feedback that allows them to compare their outcomes with others in North Carolina and in six other states. The registry relies on the data provided by mammography practices to conduct research on screening mammography practices and outcomes to improve breast cancer detection, understand risk factors, guide future research and inform policy makers.
In late July, university IT employees discovered that the registry had been the target of a criminal hacker attack. Once they learned that the server was compromised, school officials said the server was taken down and the data on the server were removed.
On Sept. 25, UNC said it began sending notification letters to each person who may have been affected, along with instructions for actions they should take to protect themselves against the possible fraudulent use of their information.